There are several methods by which system administrators can manage the IT
environment's server resources. Though it is possible to manage each server
locally, managing these resources remotely can greatly improve productivity.
Remote administration reduces the administrative overhead required to manage
servers in any size IT organization because it provides the flexibility for
administrators to be centrally located while managing distributed server resources.

Windows Server 2003 provides the tools necessary for administrators to perform
a vast array of management functions on remotely located servers. Server application
and operating system upgrades can be performed remotely, as well as domain controller
promotion/demotion and disk defragmentation.

This chapter describes the tools available for administrators to manage Windows
Server 2003 servers remotely and provides best practices for leveraging remote
administration features.

Using Remote Desktop for Administration

Remote Desktop for Administration is one mode of the Terminal Services built
into Windows Server 2003. Terminal Services can be enabled in one of two
ways:

Terminal Server mode. This is the Application Server mode that was
available in Windows 2000 Server.

Remote Desktop for Administration. This is an enhancement of the Remote
Administration mode of Windows 2000 Server.

This second Terminal Services mode is used to administer Windows Server 2003
servers remotely. Remote Desktop for Administration provides remote access to
the graphical interfacebased tools available in the Windows environment.
Remotely managing servers with Remote Desktop for Administration does not affect
server performance or application compatibility.

Unlike the other Terminal Services mode, no terminal server Client Access
Licenses (CALs) are required to use Remote Desktop for Administration. Windows
Server 2003 provides two remote administrative sessions, for collaborative
purposes, and a console session.

Enhancements to Remote Administration with Remote Desktop Connection

By taking advantage of the new Terminal Services client, known as the Remote
Desktop Connection (RDC), remote administration is enhanced in Windows Server
2003 in several ways.

The RDC supports a wide selection of hardware devices, so servers can be
managed remotely from several different types of client hardware. The RDC is
supported on the following hardware types:

The RDC allows for automatic restoration of interrupted network connections.
This is key for remote administration. In the event that an administrator is
disconnected in the middle of a mission-critical operation, the RDC will
reconnect the session without losing the administrator's place in the
operation.

The RDC supports a great deal of customization for the look and feel of a
remote session. Providing high color, audio, and full screen sessions, the RDC
allows you to control the graphic options and connection speed. This is an
important feature because as you connect remotely to servers over a slow WAN
link you will want to throttle the bandwidth usage for those particular
sessions.

One of the biggest improvements to the RDC involves client resource
redirection, which is available to Windows Server 2003 and Windows XP. You now
have the capability to access local drives, network drives, and printers through
the remote connection. Cut and paste, as well as large file transfers, can be
accomplished between the client and server in a remote administration
session.

Finally, in addition to the two remote sessions available for remote
administration, Windows Server 2003 allows a console mode that enables you to
connect to the "real" console of the server. Now administrative
functions, such as some software installations that previously required local
interaction, can be performed remotely.

Enabling Remote Desktop for Administration

Enabling Remote Desktop for Administration is a simple procedure. Unlike
Windows 2000, the Remote Desktop for Administration feature is now a separately
configurable component from Terminal Services and has some new flexibility
options previously unavailable.

The default level of encryption for remote sessions

The default level of encryption for remote sessions is bidirectional 128-bit.
Some older terminal service clients might not support 128-bit encryption.

The Remote Desktop for Administration feature is actually installed by
default in Windows Server 2003, but it is installed in a disabled status for
security reasons. To enable the feature with a default Start menu configuration,
perform the following steps:

1. From the Control Panel, double-click the System icon.

2. Choose the Remote tab.

3. On the bottom of the screen, click the check box to Allow Users to Connect
Remotely to your computer, as shown in Figure 8.1.

If the Windows Server 2003 server will be accessed remotely from a terminal server
client that does not support high encryption, the encryption level of the remote
session can be set to Client Compatible. This encryption level will provide the
highest level of encryption to the remote session supported by the client. To
change the default encryption level on the server to Client Compatible, follow
these steps:

1. Open Terminal Services Configuration from All Programs\Administrative
Tools.

2. In the right pane, under the Connection column, right-click RDP-Tcp, and
choose Properties.

3. Set the encryption level to Client Compatible, as shown in Figure 8.2, and
click OK to complete the configuration.

Best Practices for Remote Desktop for Administration

Understanding the following aspects of remote administration will enable
system administrators to make the best use of the new Remote Desktop for
Administration features in Windows Server 2003:

Use the Console Mode

With the new console mode of connection available in Windows Server 2003, you
can interact with the remote server as if you are directly at the physical
server. This enables you to see pop-ups and messages that might only appear at
the console.

Configure Disconnect and Reset Timeouts

By default, disconnect and reset timeouts are not set. This has the potential
to lock you out of remote sessions if there are two remote sessions that are
active but in a disconnected state. On the flip side, when configuring the
timeouts, allow enough time so that accidental disconnections can be resumed
without resetting the session. By default, when a connection is broken, the
session goes into a disconnected state and continues to execute whatever process
it is running at that time. If the session is configured to reset when the
connection breaks, all processes running in that session will be abruptly
stopped. Disconnect and reset timeouts can be configured using the Terminal
Services Configuration Administrative tool.
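
The encryption level set earlier in this chapter and the disconnect and reset
timeouts described above are stored in each server's registry, so they can be
audited from a central workstation. The script below is an added example, not
part of the original chapter; it assumes PowerShell 2.0 or later on the
administrator's workstation, the Remote Registry service running on the targets,
and the hypothetical server names SRV01 and SRV02.

```powershell
# Added example, not from the chapter. Server names are hypothetical placeholders.
$servers = @('SRV01', 'SRV02')
$encryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpAdminSettings {
    param([string]$ComputerName)

    # Needs the Remote Registry service and administrative rights on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $tsPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
        $ts  = $hklm.OpenSubKey($tsPath)
        $rdp = $hklm.OpenSubKey("$tsPath\WinStations\RDP-Tcp")
        if (-not $ts -or -not $rdp) { throw "Terminal Server keys not found on $ComputerName" }

        $denied = [int]$ts.GetValue('fDenyTSConnections', 1)     # 0 = remote connections allowed
        $level  = [int]$rdp.GetValue('MinEncryptionLevel', 0)
        $discMs = [int]$rdp.GetValue('MaxDisconnectionTime', 0)  # milliseconds; 0 = no limit
        $idleMs = [int]$rdp.GetValue('MaxIdleTime', 0)           # milliseconds; 0 = no limit
        $reset  = [int]$rdp.GetValue('fResetBroken', 0)          # 1 = reset on broken connection

        $levelName = $encryptionNames[$level]
        if (-not $levelName) { $levelName = "Unknown ($level)" }

        # Listener-level values only; per-user or Group Policy settings can override them.
        $findings = @()
        if ($level -lt 3)  { $findings += 'encryption below High (128-bit)' }
        if ($discMs -eq 0) { $findings += 'no disconnect timeout: disconnected sessions can hold both admin slots' }
        if ($reset -eq 1)  { $findings += 'broken connections reset the session and stop its processes' }

        New-Object PSObject -Property @{
            Server            = $ComputerName
            RemoteDesktop     = $(if ($denied -eq 0) { 'Enabled' } else { 'Disabled' })
            EncryptionLevel   = $levelName
            DisconnectMinutes = $discMs / 60000
            IdleMinutes       = $idleMs / 60000
            Findings          = ($findings -join '; ')
        } | Select-Object Server, RemoteDesktop, EncryptionLevel, DisconnectMinutes, IdleMinutes, Findings
    }
    finally { $hklm.Close() }
}

foreach ($server in $servers) { Get-RdpAdminSettings -ComputerName $server }
```

A server reported with an encryption level of Client Compatible is one where the
change described earlier has been applied, which is worth reviewing once the
older clients that needed it are retired.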

Preventing Eavesdropping

For security purposes, when you are using the console mode of remote
administration, the physical console of the server is automatically locked to
prevent eavesdropping.

Coordinate Remote Administration

With Windows Server 2003, administrators are able to collaborate through
multiple remote sessions. This feature has potential problems, though, if two
administrators are unknowingly connected remotely to the same server. For
instance, server data might be lost if two administrators attempt to perform
disk defragmentation from two remote sessions at the same time.

Distinguish Terminal Services from Remote Administration

Although administrators have the capability to install software through a
Remote Desktop for Administration session, Terminal Services running in Terminal
Server mode provides better installation and environment settings for office
applications. For general desktop and remote application access functionality,
use a dedicated Terminal Server solution.